The WorkFromHome Lab presents a multi-stage intrusion where Zero Divine-Unit's Security Operations Center detected anomalous outbound remote-access traffic and privileged authentication events from a Windows 10 workstation in the development network. The suspicious activity coincided with internal communications where a junior developer sought elevated credentials from a senior colleague, prompting immediate quarantine and forensic acquisition. This investigation examines the captured disk image along with chat transcripts and incident response notes to reconstruct how social engineering enabled technical exploitation leading to system compromise and data exfiltration.
The scenario demonstrates a methodical attack progression through initial access, reconnaissance, privilege escalation, defense evasion, persistence establishment, and data exfiltration. Each phase left distinct forensic artifacts across browser databases, application logs, Windows event logs, file system metadata, and registry hives. Throughout this walkthrough, we employ digital forensics tools to analyze these artifacts and reconstruct the attack timeline. The investigation leverages browser artifact analysis for tracking the initial compromise, remote access tool logs for understanding attacker communications, Windows Event Logs for authentication and privilege events, file system artifacts for program execution evidence, and registry analysis for persistence mechanisms.
This forensic methodology reflects real-world incident response workflows where investigators correlate evidence across multiple sources to understand attacker behavior and assess compromise scope. By working through these questions systematically, practitioners gain hands-on experienc
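The cross-source correlation described above (browser visit times, Windows event log records, and registry key write times placed on one clock) is the kind of step an analyst automates early. The script below is an added example written for this walkthrough, not tooling from the lab or its authors; every artifact in it is constructed sample data with placeholder names (`jdev`, `srdev`, `RemoteHelper`, `files.example.invalid`), not values from the WorkFromHome image. It converts Chrome's WebKit-epoch visit timestamps to UTC, normalises ISO event log and registry timestamps, flags the event IDs and logon types relevant to privilege escalation and persistence, and reports which artifacts from other sources fall within a time window of each flagged record.

```python
"""Added example: merge constructed artifacts from three evidence sources
into a single UTC timeline and correlate flagged records across sources."""
from datetime import datetime, timedelta, timezone

# Chrome/WebKit stores visit times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Event IDs that matter for privilege and persistence questions.
PRIV_EVENT_IDS = {4672: "special privileges assigned", 4720: "account created",
                  4732: "added to local group", 7045: "service installed"}
REMOTE_INTERACTIVE = 10  # 4624 logon type used by RDP-style sessions


def webkit_to_utc(microseconds: int) -> datetime:
    """Convert a Chrome History visit_time value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def parse_utc(s: str) -> datetime:
    """Parse '2024-03-05T14:05:41Z' or an explicit-offset ISO string to UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# --- constructed sample artifacts (placeholders, not from the lab image) ---
BROWSER_HISTORY = [  # (url, title, visit_time in WebKit microseconds)
    ("https://files.example.invalid/remote-tool-setup.exe", "Download",
     13354120930000000),  # equals 2024-03-05T14:02:10Z
]
EVENT_LOG = [  # (timestamp, event_id, fields)
    ("2024-03-05T14:05:41Z", 4624, {"account": "jdev", "logon_type": 2}),
    ("2024-03-05T14:09:03Z", 4624, {"account": "srdev", "logon_type": 10}),
    ("2024-03-05T14:09:03Z", 4672, {"account": "srdev"}),
    ("2024-03-05T14:12:30Z", 7045, {"service": "RemoteHelper"}),
]
REGISTRY = [  # (key, value_name, last_write)
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "RemoteHelper",
     "2024-03-05T14:12:35Z"),
]


def is_privileged(event_id: int, fields: dict) -> bool:
    """Flag privilege/persistence events and remote-interactive logons."""
    if event_id in PRIV_EVENT_IDS:
        return True
    return event_id == 4624 and fields.get("logon_type") == REMOTE_INTERACTIVE


def build_timeline(browser=BROWSER_HISTORY, events=EVENT_LOG, registry=REGISTRY):
    """Normalise all sources to UTC rows and sort them chronologically."""
    rows = []
    for url, title, ts in browser:
        rows.append({"ts": webkit_to_utc(ts), "source": "browser",
                     "summary": f"visit {url} ({title})", "flag": False})
    for ts, eid, fields in events:
        label = PRIV_EVENT_IDS.get(eid, "logon" if eid == 4624 else "event")
        rows.append({"ts": parse_utc(ts), "source": "eventlog",
                     "summary": f"{eid} {label} {fields}",
                     "flag": is_privileged(eid, fields)})
    for key, name, ts in registry:
        # Run/RunOnce keys are classic autostart persistence locations.
        rows.append({"ts": parse_utc(ts), "source": "registry",
                     "summary": f"{key}\\{name}", "flag": "\\Run" in key})
    rows.sort(key=lambda r: (r["ts"], r["source"]))
    return rows


def correlate(timeline, window_seconds=60):
    """For each flagged row, collect rows from other sources within the window."""
    window = timedelta(seconds=window_seconds)
    out = []
    for r in timeline:
        if not r["flag"]:
            continue
        near = [o for o in timeline
                if o is not r and o["source"] != r["source"]
                and abs(o["ts"] - r["ts"]) <= window]
        out.append((r, near))
    return out


if __name__ == "__main__":
    for row in build_timeline():
        mark = "!" if row["flag"] else " "
        print(f"{row['ts'].isoformat()} {mark} [{row['source']}] {row['summary']}")
    for flagged, near in correlate(build_timeline()):
        print(f"{flagged['summary']} -> {len(near)} related artifact(s) within 60s")
```

In this constructed run the service-install event (7045) and the registry `Run` value written five seconds later line up, which is the pattern an analyst would then verify against the actual service binary path and the autostart entry on the image. The 60-second window is a starting point; widen it when clocks across sources are known to drift.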